Abstract. We propose an extension of the asynchronous π-calculus with a notion of random choice. We define an operational semantics which distinguishes between probabilistic choice, made internally by the process, and nondeterministic choice, made externally by an adversary scheduler. This distinction will allow us to reason about the probabilistic correctness of algorithms under certain schedulers. We show that in this language we can solve the electoral problem, which was proved not possible in the asynchronous π-calculus. Finally, we show an implementation of the probabilistic asynchronous π-calculus in a Java-like language.



1 Introduction 

The π-calculus ([5,6]) is a very expressive specification language for concurrent programming, but the difficulties in its distributed implementation challenge its candidature to be a canonical model of distributed computation. Certain mechanisms of the π-calculus, in fact, require solving a problem of distributed consensus.

The asynchronous π-calculus ([3,2]), on the other hand, is more suitable for a distributed implementation, but it is rather weak for solving distributed problems ([9]).

In order to increase the expressive power of the asynchronous π-calculus we propose a probabilistic extension, π_pa, based on the probabilistic automata of Segala and Lynch ([12]). The characteristic of this model is that it distinguishes between probabilistic and nondeterministic behavior. The first is associated with the random choices of the process, while the second is related to the arbitrary decisions of an external scheduler. This separation allows us to reason about adverse conditions, i.e. schedulers that "try to prevent" the process from achieving its goal. Similar models were presented in [14] and [15].

Next we show an example of a distributed problem that can be solved with π_pa, namely the election of a leader in a symmetric network. It was proved in [9] that such a problem cannot be solved with the asynchronous π-calculus. We propose an algorithm for the solution of this problem, and we prove that it is correct, i.e. that the leader will eventually be elected, with probability 1, under every possible scheduler. Our algorithm is reminiscent of the algorithm used in [10] for solving the dining philosophers problem, but in our case we do not need the fairness assumption. Also, the fact that we give the solution in a language provided with a rigorous operational semantics allows us to give a more formal proof of correctness.

Finally, we define a "toy" distributed implementation of the π_pa-calculus into a Java-like language. The purpose of this exercise is to prove that π_pa is a reasonable paradigm for the specification of distributed algorithms, since it can be implemented without loss of expressivity.

The novelty of our proposal, with respect to other probabilistic process algebras which have been defined in the literature (see, for instance, [13]), is the definition of the parallel operator in a CCS style, as opposed to the SCCS style. Namely, parallel processes are not forced to proceed simultaneously. Note also that for general probabilistic automata it is not possible to define the parallel operator ([11]), or at least, there is no natural definition. In π_pa the parallel operator can be defined as a natural extension of the non-probabilistic case, and this can be considered, in our opinion, another argument in favor of the suitability of π_pa for distributed implementation.

2 Preliminaries 

In this section we recall the definition of the asynchronous π-calculus and the definition of probabilistic automata. We consider the late semantics of the π-calculus, because the probabilistic extension of the late semantics is simpler than the eager version.

2.1 The asynchronous π-calculus

We follow the definition of the asynchronous π-calculus given in [1], except that we will use recursion instead of the replication operator, since we find it to be more convenient for writing programs. It is well known that recursion and replication are equivalent, see for instance [4].

Consider a countable set of channel names, x, y, ..., and a countable set of process names X, Y, .... The prefixes α, β, ... and the processes P, Q, ... of the asynchronous π-calculus are defined by the following grammar:

Prefixes    $\alpha ::= x(y) \;|\; \tau$
Processes   $P ::= \bar{x}y \;|\; \sum_i \alpha_i.P_i \;|\; \nu x\,P \;|\; P \mid P \;|\; X \;|\; \mathit{rec}_X\,P$

The basic actions are x(y), which represents the input of the (formal) name y from channel x, $\bar{x}y$, which represents the output of the name y on channel x, and τ, which stands for any silent (non-communication) action.

The process $\sum_i \alpha_i.P_i$ represents guarded choice on input or silent prefixes, and it is usually assumed to be finite. We will use the abbreviations 0 (inaction) to represent the empty sum, α.P (prefix) to represent a sum with one element only, and P + Q for the binary sum. The symbols νx and | are the restriction and the parallel operator, respectively. We adopt the convention that the prefix operator has priority wrt + and |. The process $\mathit{rec}_X\,P$ represents a process X defined as X = P, where P may contain occurrences of X (recursive definition). We assume that all the occurrences of X in P are prefixed.

The operators νx and y(x) are x-binders, i.e. in the processes νx P and y(x).P the occurrences of x in P are considered bound, with the usual rules of scoping. The free names of P, i.e. those names which do not occur in the scope of any binder, are denoted by fn(P). The alpha-conversion of bound names is defined as usual, and the renaming (or substitution) P[y/x] is defined as the result of replacing all free occurrences of x in P by y, possibly applying alpha-conversion in order to avoid capture.

The operational semantics is specified via a transition system labeled by actions μ. These are given by the following grammar:

Actions    $\mu ::= x(y) \;|\; \bar{x}y \;|\; \bar{x}(y) \;|\; \tau$

Essentially, we have all the actions from the syntax, plus the bound output $\bar{x}(y)$. This is introduced to model scope extrusion, i.e. the result of sending to another process a private (ν-bound) name. The bound names of an action μ, bn(μ), are defined as follows: $bn(x(y)) = bn(\bar{x}(y)) = \{y\}$; $bn(\bar{x}y) = bn(\tau) = \emptyset$. Furthermore, we will indicate by n(μ) all the names which occur in μ.

The rules for the late semantics are given in Table 1. The symbol ≡ used in Cong stands for structural congruence, a form of equivalence which identifies "statically" two processes and which is used to simplify the presentation. We assume this congruence to satisfy the following:

(i) P ≡ Q if Q can be obtained from P by alpha-renaming, notation P ≡_α Q,

(ii) P | Q ≡ Q | P,

(iii) $\mathit{rec}_X\,P \equiv P[\mathit{rec}_X\,P / X]$.

Note that communication is modeled by handshaking (Rules Com and Close). The reason why this calculus is considered a paradigm for asynchronous communication is that there is no primitive output prefix, hence no primitive notion of continuation after the execution of an output action. In other words, the process executing an output action will not be able to detect (in principle) when the corresponding input action is actually executed.

2.2 Probabilistic automata, adversaries, and executions 

Probabilistic automata have been proposed in [12]. We simplify here the original definition, and tailor it to what we need for defining the probabilistic extension of the asynchronous π-calculus. The main difference is that we consider only discrete probabilistic spaces, and that the concept of deadlock is simply a node with no out-transitions.

A discrete probabilistic space is a pair (X, pb) where X is a set and pb is a function pb : X → (0, 1] such that $\sum_{x \in X} pb(x) = 1$. Given a set Y, we define

$Prob(Y) = \{(X, pb) \mid X \subseteq Y \text{ and } (X, pb) \text{ is a discrete probabilistic space}\}.$

Table 1. The late-instantiation transition system of the asynchronous π-calculus.



Given a set of states S and a set of actions A, a probabilistic automaton on S and A is a triple $(S, T, s_0)$ where $s_0 \in S$ (initial state) and $T \subseteq S \times Prob(A \times S)$. We call the elements of T transition groups (in [12] they are called steps). The idea behind this model is that the choice between two different groups is made nondeterministically and possibly controlled by an external agent, e.g. a scheduler, while the transition within the same group is chosen probabilistically and it is controlled internally (e.g. by a probabilistic choice operator). If at most one transition group is allowed for each state, the automaton is called fully probabilistic. Figures 1 and 2 give examples of a probabilistic and a fully probabilistic automaton, respectively.

In [12] it is remarked that this notion of automaton subsumes and extends both the reactive and generative models of probabilistic processes ([13]). In particular, the generative model corresponds to the notion of fully probabilistic automaton.

Fig. 1. Example of a probabilistic automaton M. The transition groups are labeled by I, II, ..., VI.

We define now the notion of execution of an automaton under a scheduler, by adapting and simplifying the corresponding notion given in [12]. A scheduler can be seen as a function which solves the nondeterminism of the automaton by selecting, at each moment of the computation, a transition group among all the ones allowed in the present state. Schedulers are sometimes called adversaries, thus conveying the idea of an external entity playing "against" the process. A process is robust wrt a certain class of adversaries if it gives the intended result for each possible scheduling imposed by an adversary in the class. Clearly, the reliability of an algorithm depends on how "smart" the adversaries of this class can be. We will assume that an adversary can decide the next transition group depending not only on the current state, but also on the whole history of the computation till that moment, including the random choices made by the automaton.

Given a probabilistic automaton $M = (S, T, s_0)$, define tree(M) as the tree obtained by unfolding the transition system, i.e. the tree with a root $n_0$ labeled by $s_0$, and such that, for each node n, if s ∈ S is the label of n, then for each $(s, (X, pb)) \in T$, and for each $(\mu, s') \in X$, there is a node n' child of n labeled by s', and the arc from n to n' is labeled by μ and pb(μ, s'). We will denote by nodes(M) the set of nodes in tree(M), and by state(n) the state labeling a node n. Example: Figure 3 represents the tree obtained from the probabilistic automaton M of Figure 1.

An adversary for M is a function ζ that associates to each node n of tree(M) a transition group among those which are allowed in state(n). More formally, $\zeta : nodes(M) \to Prob(A \times S)$ such that $\zeta(n) = (X, pb)$ implies $(state(n), (X, pb)) \in T$.

Fig. 2. A fully probabilistic automaton.

The execution tree of an automaton $M = (S, T, s_0)$ under an adversary ζ, denoted by etree(M, ζ), is the tree obtained from tree(M) by pruning all the arcs corresponding to transitions which are not in the group selected by ζ. More formally, etree(M, ζ) is a fully probabilistic automaton $(S', T', n_0)$, where $S' \subseteq nodes(M)$, $n_0$ is the root of tree(M), and $(n, (X', pb')) \in T'$ iff $X' = \{(\mu, n') \mid (\mu, state(n')) \in X\}$ and $pb'(\mu, n') = pb(\mu, state(n'))$, where $(X, pb) = \zeta(n)$. Example: Figure 4 represents the execution tree of the automaton M of Figure 1, under an adversary ζ.

An execution fragment ξ is any path (finite or infinite) from the root of etree(M, ζ). The notation ξ ≤ ξ' means that ξ is a prefix of ξ'. If ξ is $n_0 \xrightarrow[p_0]{\mu_0} n_1 \xrightarrow[p_1]{\mu_1} n_2 \xrightarrow[p_2]{\mu_2} \cdots$, the probability of ξ is defined as $pb(\xi) = \prod_i p_i$. If ξ is maximal, then it is called execution. We denote by exec(M, ζ) the set of all executions in etree(M, ζ).

We define now a probability on certain sets of executions, following a standard construction of Measure Theory. Given an execution fragment ξ, let $C_\xi = \{\xi' \in exec(M, \zeta) \mid \xi \le \xi'\}$ (cone with prefix ξ). Define $pb(C_\xi) = pb(\xi)$. Let $\{C_i\}_{i \in I}$ be a countable set of disjoint cones (i.e. I is countable, and $\forall i, j.\ i \ne j \Rightarrow C_i \cap C_j = \emptyset$). Then define $pb(\bigcup_{i \in I} C_i) = \sum_{i \in I} pb(C_i)$. It is possible to show that pb is well defined, i.e. two countable sets of disjoint cones with the same union produce the same result for pb. We can also define the probability of an empty set of executions as 0, and the probability of the complement of a certain set of executions as the complement wrt 1 of the probability of the set. The closure of the cones wrt the empty set, the countable union, and the complementation generates what in Measure Theory is known as a σ-field.

Fig. 3. tree(M), where M is the probabilistic automaton of Figure 1.



3 The probabilistic asynchronous π-calculus

In this section we introduce the probabilistic asynchronous π-calculus (π_pa-calculus for short) and we give its operational semantics in terms of probabilistic automata.

The π_pa-calculus is obtained from the asynchronous π-calculus by replacing $\sum_i \alpha_i.P_i$ with the following probabilistic choice operator

$\sum_i p_i\,\alpha_i.P_i$

where the $p_i$'s represent positive probabilities, i.e. they satisfy $p_i \in (0, 1]$ and $\sum_i p_i = 1$, and the $\alpha_i$'s are input or silent prefixes.

In order to give the formal definition of the probabilistic model for π_pa, we find it convenient to introduce the following notation for representing transition groups: given a probabilistic automaton $(S, T, s_0)$ and s ∈ S, we write

$s\,\{\xrightarrow{\mu_i}_{p_i} s_i\}_{i \in I}$

iff $(s, (\{(\mu_i, s_i) \mid i \in I\}, pb)) \in T$ and $\forall i \in I.\ p_i = pb(\mu_i, s_i)$, where I is an index set. When I is not relevant, we will use the simpler notation $s\,\{\xrightarrow{\mu_i}_{p_i} s_i\}_i$. We will also use the notation $s\,\{\xrightarrow{\mu_i}_{p_i} s_i\}_{i : \phi(i)}$, where φ(i) is a logical formula depending on i, for the set $s\,\{\xrightarrow{\mu_i}_{p_i} s_i \mid i \in I \text{ and } \phi(i)\}$.

Fig. 4. etree(M, ζ), where M is the probabilistic automaton of Figure 1, and (the significant part of) ζ is defined by $\zeta(n_1) = II$, $\zeta(n_4) = V$.



The operational semantics of a π_pa process P is defined as a probabilistic automaton whose states are the processes reachable from P and the T relation is defined by the rules in Table 2. In order to keep the presentation simple, we impose some restrictions on the syntax of terms (see the caption of Table 2). In Appendix A we give an equivalent definition of the operational semantics without these restrictions.

The Sum rule models the behavior of a choice process. Note that all possible transitions belong to the same group, meaning that the transition is chosen probabilistically by the process itself. Res models restriction on channel y: only the actions on channels different from y can be performed and possibly synchronize with an external process. The probability is redistributed among these actions. Par represents the interleaving of parallel processes. All the transitions of the processes involved are made possible, and they are kept separated in the original groups. In this way we model the fact that the selection of the process for the next computation step is determined by a scheduler. In fact, choosing a group corresponds to choosing a process. Com models communication by handshaking. The output action synchronizes with all matching input actions of a partner, with the same probability as the input action. The other possible transitions of the partner are kept with the original probability as well. Close is analogous to Com, the only difference being that the name transmitted is private to the sender. Open works in combination with Close like in the standard (asynchronous) π-calculus. The other rules, Out and Cong, should be self-explanatory.

Example 1. Consider the processes $P = \mathit{rec}_X(1/2\ x(y).0 + 1/2\ \tau.X)$, $Q = \bar{x}y$ and define R = P | Q. The transition groups starting from R are:

$R\,\{\xrightarrow{x(y)}_{1/2} Q,\ \xrightarrow{\tau}_{1/2} R\}$    $R\,\{\xrightarrow{\tau}_{1/2} 0,\ \xrightarrow{\tau}_{1/2} R\}$    $R\,\{\xrightarrow{\bar{x}y}_{1} P\}$

Table 2. The late-instantiation probabilistic transition system of the π_pa-calculus. In Sum we assume that all branches are different, namely, if i ≠ j, then either $\alpha_i \ne \alpha_j$ or $P_i \ne P_j$. Furthermore, in Res and Par we assume that all bound variables are distinct from each other, and from the free variables.

Figure 5 illustrates the probabilistic automaton corresponding to R. The above transition groups are labeled by I, II and III respectively.




Fig. 5. The probabilistic automaton of Example 1 



Example 2. Consider the processes P and Q of Example 1 and define R = (νx)(P | Q). In this case the transition groups starting from R are:

$R\,\{\xrightarrow{\tau}_{1} R\}$    $R\,\{\xrightarrow{\tau}_{1/2} 0,\ \xrightarrow{\tau}_{1/2} R\}$

Figure 6 illustrates the probabilistic automaton corresponding to this new definition of R. The above transition groups are labeled by I and II respectively.
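Examples 1 and 2, together with the adversary and cone construction of Section 2.2, as an added Python model (not the paper's code): the automaton of Example 1 is encoded by hand, `restrict` reproduces the effect of the Res rule (it should yield the two groups of Example 2), and `prob_reach` sums disjoint cones of etree(M, ζ) for an adversary that may depend on the whole history. State labels, the `TAU` marker and all function names are my own.

```python
from fractions import Fraction

# A transition group is a list of (action, next_state, probability) whose
# probabilities sum to 1; a state maps to the list of its groups.
# Actions are ('in', channel), ('out', channel) or the marker TAU.
TAU = 'tau'
HALF, ONE = Fraction(1, 2), Fraction(1)

# Constructed encoding of Example 1: R = P | Q with
# P = rec_X(1/2 x(y).0 + 1/2 tau.X) and Q = x̄y.
# Group I comes from Par on P, group II from Com, group III from Out on Q.
EXAMPLE1 = {
    'R': [[(('in', 'x'), 'Q', HALF), (TAU, 'R', HALF)],   # I
          [(TAU, '0', HALF), (TAU, 'R', HALF)],           # II
          [(('out', 'x'), 'P', ONE)]],                     # III
    'P': [[(('in', 'x'), '0', HALF), (TAU, 'P', HALF)]],
    'Q': [[(('out', 'x'), '0', ONE)]],
    '0': [],                                               # deadlock: no out-transitions
}

def restrict(automaton, y):
    """Effect of the Res rule for (nu y): drop the transitions on channel y
    from every group and redistribute their probability over what remains;
    a group that loses all its transitions disappears from the state."""
    result = {}
    for state, groups in automaton.items():
        result[state] = []
        for group in groups:
            kept = [(a, s, p) for a, s, p in group if a == TAU or a[1] != y]
            if kept:
                mass = sum(p for _, _, p in kept)
                result[state].append([(a, s, p / mass) for a, s, p in kept])
    return result

def prob_reach(automaton, adversary, start, target, depth):
    """Probability, under `adversary`, of the executions that reach `target`
    within `depth` transitions. The execution tree is unfolded breadth-first;
    a node is identified by its history (tuple of states visited), a fragment
    xi is weighted by pb(xi) = prod p_i, and the cones of the fragments that
    end in `target` are disjoint, so their probabilities are simply summed."""
    total = Fraction(0)
    frontier = [((start,), ONE)]
    for step in range(depth + 1):
        new_frontier = []
        for history, p in frontier:
            state = history[-1]
            if state == target:
                total += p                        # the whole cone C_xi counts
            elif step < depth and automaton[state]:
                group = adversary(history, automaton[state])   # zeta(n)
                new_frontier += [(history + (s,), p * q) for _, s, q in group]
        frontier = new_frontier
    return total

# Adversaries map a node (its history) to one of the groups allowed there.
def prefer_com(history, groups):
    """Select the communicating group II of R whenever R offers a choice."""
    return groups[1] if len(groups) > 1 else groups[0]

def always_first(history, groups):
    return groups[0]

def delay_then_com(history, groups):
    """History-dependent: let P move alone first (group I), then communicate."""
    return groups[0] if len(history) == 1 else prefer_com(history, groups)
```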

The next example shows that the expansion law does not hold in π_pa. This should be no surprise, since the choices associated to the parallel operator and to the sum, in π_pa, have a different nature: the parallel operator gives rise to nondeterministic choices of the scheduler, while the sum gives rise to probabilistic choices of the process.

Example 3. Consider the processes $R_1 = x(z).P \mid y(z).Q$ and $R_2 = p\ x(z).(P \mid y(z).Q) + (1-p)\ y(z).(x(z).P \mid Q)$. The transition groups starting from $R_1$ are:

$R_1\,\{\xrightarrow{x(z)}_{1} P \mid y(z).Q\}$    $R_1\,\{\xrightarrow{y(z)}_{1} x(z).P \mid Q\}$

On the other hand, there is only one transition group starting from $R_2$, namely:

$R_2\,\{\xrightarrow{x(z)}_{p} P \mid y(z).Q,\ \xrightarrow{y(z)}_{1-p} x(z).P \mid Q\}$




As announced in the introduction, the parallel operator is associative. This property can be easily shown by case analysis.

Proposition 1. For every process P, Q and R, the probabilistic automata of P | (Q | R) and of (P | Q) | R are isomorphic, in the sense that they differ only in the names of the states (i.e. the syntactic structure of the processes).

We conclude this section with a discussion about the design choices of π_pa.

3.1 The rationale behind the design of π_pa

In defining the rules of the operational semantics of π_pa we felt there was only one natural choice, with the exception of the rules Com and Close. For them we could have given a different definition, with respect to which the parallel operator would still be associative.

The alternative definition we had considered for Com was:

$$\text{Com'}\quad \frac{P \xrightarrow{\bar{x}y} P' \qquad Q\,\{\xrightarrow{\mu_i}_{p_i} Q_i\}_i \qquad \exists i.\ \mu_i = x(y)}{P \mid Q\,\{\xrightarrow{\tau}_{p'_i} P' \mid Q_i\}_{i:\ \mu_i = x(y)}} \qquad \forall i.\ p'_i = p_i \Big/ \sum_{j:\ \mu_j = x(y)} p_j$$

and similarly for Close.

The difference between Com and Com' is that the latter forces the process performing the input action (Q) to perform only those actions that are compatible with the output action of the partner (P).

At first Com' seemed to be a reasonable rule. At a deeper analysis, however, we discovered that Com' imposes certain restrictions on the schedulers that, in a distributed setting, would be rather unnatural. In fact, the natural way of implementing the π_pa communication in a distributed setting is by representing the input and the output partners as processes sharing a common channel. When the sender wishes to communicate, it puts a message in the channel. When the receiver wishes to communicate, it tests the channel to see if there is a message, and, in the positive case, it retrieves it. In case the receiver has a choice guarded by input actions on different channels, the scheduler can influence this choice by activating certain senders instead of others. However, if more than one sender has been activated, i.e. more than one channel contains data at the moment in which the receiver is activated, then it will be the receiver which decides internally which channel to select. Com models exactly this situation. Note that the scheduler can influence the choices of the receiver by selecting certain outputs to be premises in Com, and delaying the others by using Par.

With Com', on the other hand, when an input-guarded choice is executed, the choice of the channel is determined by the scheduler. Thus Com' models the assumption that the scheduler can only activate (at most) one sender before the next activation of a receiver.

The following example illustrates the difference between Com and Com'.

Example 4. Consider the processes $P_1 = \bar{x}_1 y$, $P_2 = \bar{x}_2 z$, $Q = 1/3\ x_1(y).Q_1 + 2/3\ x_2(y).Q_2$, and define $R = (\nu x_1)(\nu x_2)(P_1 \mid P_2 \mid Q)$. Under Com, the transition groups starting from R are

$R\,\{\xrightarrow{\tau}_{1/3} R_1,\ \xrightarrow{\tau}_{2/3} R_2\}$    $R\,\{\xrightarrow{\tau}_{1} R_1\}$    $R\,\{\xrightarrow{\tau}_{1} R_2\}$

where $R_1 = (\nu x_1)(\nu x_2)(P_2 \mid Q_1)$ and $R_2 = (\nu x_1)(\nu x_2)(P_1 \mid Q_2)$. The first group corresponds to the possibility that both $x_1$ and $x_2$ are available for input when Q is scheduled for execution. The other groups correspond to the availability of only $x_1$ and only $x_2$ respectively.

Under Com', on the other hand, the only possible transition groups are

Note that, in both cases, the only possible transitions are those labeled with τ, because $x_1$ and $x_2$ are restricted at the top level.

4 Solving the electoral problem in π_pa

In [9] it has been proved that, in certain networks, it is not possible to solve the leader election problem by using the asynchronous π-calculus. The problem consists in ensuring that all processes will reach an agreement (elect a leader) in finite time. One example of such a network is the system consisting of two symmetric nodes $P_0$ and $P_1$ connected by two internal channels $x_0$ and $x_1$ (see Figure 7).

In this section we will show that it is possible to solve the leader election problem for the above network by using the π_pa-calculus. Following [9], we will assume that the processes communicate their decision to the "external world" by using channels $o_0$ and $o_1$.

The reason why this problem cannot be solved with the asynchronous π-calculus is that a network with a leader is not symmetric, and the asynchronous π-calculus is not able to force the initial symmetry to break. Suppose for example that $P_0$ would elect itself as the leader after performing a certain sequence of actions. By symmetry, and because of the lack of synchronous communication, the same actions may be performed by $P_1$. Therefore $P_1$ would elect itself as leader, which means that no agreement has been reached.

Fig. 7. A symmetric network $P = \nu x_0\,\nu x_1(P_0 \mid P_1)$. The restriction on $x_0$, $x_1$ is made in order to enforce synchronization.

We propose a solution based on the idea of breaking the symmetry by repeating again and again certain random choices, until this goal has been achieved. The difficult point is to ensure that it will be achieved with probability 1 under every possible scheduler.

Our algorithm works as follows. Each process performs an output on its channel and, in parallel, tries to perform an input on both channels. If it succeeds, then it declares itself to be the leader. If none of the processes succeeds, it is because both of them perform exactly one input (thus reciprocally preventing the other from performing the second input). This might occur because the inputs can be performed only sequentially¹. In this case, the processes have to try again. The algorithm is illustrated in Table 3.

In the algorithm, the selection of the first input is controlled by each process with a probabilistic blind choice, i.e. a choice whose branches are prefixed by a silent (τ) action. This means that the process commits to the choice of the channel before knowing whether it is available. It can be proved that this commitment is essential for ensuring that the leader will be elected with probability 1 under every possible adversary scheduler. The distribution of the probabilities, on the contrary, is not essential. This distribution however affects the efficiency (i.e. how soon the synchronization protocol converges). It can be shown that it is better to split the probability as evenly as possible (hence 1/2 and 1/2).

¹ In the π_pa-calculus and in most process algebras there is no primitive for simultaneous input action. Nestmann has proposed in [7] the addition of such a construct as a way of enhancing the expressive power of the asynchronous π-calculus. Clearly, with this addition, the solution to the electoral problem would be immediate.

Table 3. A π_pa solution for the electoral problem in the symmetric network of Figure 7. Here i ∈ {0, 1} and ⊕ is the sum modulo 2.



After the first input is performed, a process tries to perform the second input. What we would need at this point is a priority choice, i.e. a construct that selects the first branch if the prefix is enabled, and selects the second branch otherwise. With this construct the process would perform the input on the other channel when it is available, and backtrack to the initial situation otherwise. Since such a construct does not exist in the π-calculi, we use probabilities as a way of approximating it. Thus we do not guarantee that the first branch will be selected for sure when the prefix is enabled, but we guarantee that it will be selected with probability close to 1: the symbol ε represents a very small positive number. Of course, the smaller ε is, the more efficient the algorithm is.

When a process, say $P_0$, succeeds in performing both inputs, then it declares itself to be the leader. It also notifies this decision to the other process. For the notification we could use a different channel, or we may use the same channel, provided that we have a way to communicate that the output on such a channel now has a different meaning. We follow this second approach, and we use boolean values t and f for messages. We stipulate that t means that the leader has not been decided yet, while f means that it has been decided. Notice that the symmetry is broken exactly when one process succeeds in performing both inputs.



In the algorithm we make use of the if-then-else construct, which is defined by the structural rules

if t then P else Q ≡ P        if f then P else Q ≡ Q

As discussed in [8], these features (booleans and if-then-else) can be translated into the asynchronous π-calculus, and therefore into π_pa.

Correctness of the algorithm 

We prove now that the algorithm is correct, namely that the probability that a leader is eventually elected is 1 under every scheduler.

In the following we use pairs to denote the τ transitions corresponding to the execution of the blind choice. A pair (i, j) will mean that process i has selected channel j. We will call such transitions random draws.

Definition 1. A sequence $d_1, d_2, \ldots, d_n, \ldots$ of random draws is alternated iff ∀k, if $d_k = (i, j)$ then $d_{k+1} = (i, j)$ or $d_{k+1} = (i \oplus 1, j \oplus 1)$.

Note that a sequence is alternated iff for every two draws (i, j), (i', j'), if i = i' then j = j'.

For the proof, we are going to consider, at first, a modified algorithm where the inner choice ((1 − ε) ... + ε ...) is replaced by a priority choice.

Lemma 1. Consider an execution fragment ξ of the process $\nu x_0\,\nu x_1(P_0 \mid P_1)$ and the algorithm of Table 3 modified by using the priority choice. Let $d_1, d_2, \ldots, d_n$ be the sequence of random draws in ξ. Assume that, for some k < n, $d_k = (i, j)$, $d_{k+1} = \ldots = d_{n-1} = (i \oplus 1, j \oplus 1)$, and $d_n = (i \oplus$ [truncated in the source]. Then, under every adversary, all the executions in the cone of ξ terminate with the election of a leader, and they contain no more random draws.

Proof (Sketch). If at a certain point both processes have committed to the same channel, then only one of them will be able to perform the input action on that channel, whereas the other one is blocked waiting to perform an input action on the same channel. The process that is able to make the input action will therefore be able to make the second input action too and will become the leader. The other process will finally be enabled to make the input on the channel on which it was blocked, and will receive the notification that the other process has become the leader. Neither process selects the recursive branch and therefore no more random draws are made. □

Lemma 2. The probability that a sequence of random draws of length n is alternated is $1/2^{n-1}$.

Proof. Obvious, by induction on n, and by the observation that the random draws are independent. □



Proposition 2. Consider the process $\nu x_0\,\nu x_1(P_0 \mid P_1)$ and the algorithm of Table 3 modified by using the priority choice. The probability of the executions which contain (at least) n random draws, for n > 2, is at most $1/2^{n-2}$ under every adversary.

Proof. By Lemma 1 the first n − 1 random draws must be alternated (otherwise the leader would have been elected earlier). By Lemma 2 such an alternated sequence has probability $1/2^{n-2}$. Note that the maximum probability $1/2^{n-2}$ corresponds to the worst possible case of an adversary which tries to delay the election of a leader as much as possible, by scheduling the processes in such a way that a process tries to perform the second input only when the channel is not available. □



We are now ready to prove the correctness of our algorithm.

Proposition 3. Consider the process $\nu x_0\,\nu x_1(P_0 \mid P_1)$ and the algorithm of Table 3 (with no modifications). The probability of the executions which contain (at least) n random draws, for n > 2, is at most

$$\frac{(1+\varepsilon)^{n-2}}{2^{n-2}}$$

under every adversary.

Proof. The proof proceeds like in the proof of Proposition 2, with the exception that we need to consider also the possibility that a leader is not elected after a draw which breaks the alternation. Such an event occurs with probability ε. The probability that an execution contains n − 1 draws where the alternation is violated k times is therefore

$$\frac{1}{2^{n-2}}\;\frac{(n-2)!}{k!\,(n-2-k)!}\;\varepsilon^k$$

The sum of these probabilities for all possible values of k is

$$\frac{1}{2^{n-2}} \sum_{k=0}^{n-2} \frac{(n-2)!}{k!\,(n-2-k)!}\;\varepsilon^k \;=\; \frac{(1+\varepsilon)^{n-2}}{2^{n-2}}$$

□



As a consequence of this proposition we finally obtain the correctness of our algorithm:

Theorem 1. Consider the process $\nu x_0\,\nu x_1(P_0 \mid P_1)$ and the algorithm of Table 3 (without modifications). The probability that the leader is eventually elected is 1 under every adversary.



Proof. An execution does not elect a leader only if it is infinite and contains an infinite number of random draws. By Proposition 3 the probability of the execution fragments which contain at least n random draws is at most

$$\frac{(1+\varepsilon)^{n-2}}{2^{n-2}}$$

Since ε < 1, this probability converges to 0 for n → ∞. □

We conclude this section with the observation that, if we modify the blind choice to be a choice prefixed with the input actions which come immediately afterward, then the above theorem would not hold anymore. In fact, we can define a scheduler which selects the processes in alternation, and which suspends a process, and activates the other, immediately after the first has made a random choice and performed an input. The latter will be forced (because of the guarded choice) to perform the input on the other channel. Then the scheduler will proceed with the first process, which at this point can only backtrack. Then it will schedule the second process again, which will also be forced to backtrack, and so on. Since all the choices of the processes are forced in this scheme, the scheduler will produce an infinite (unsuccessful) execution with probability 1.
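The election algorithm of this section and the alternating scheduler of the remark above, as an added simulation (my own rendering, not the process terms of Table 3). It assumes that a process which backtracks returns the message to the channel it read it from, that the leader notifies the other process by outputting f on both channels, and that in the input-guarded variant the guard fires as part of the choice; the scheduler lets a process keep the turn until it has made its random choice and performed an input.

```python
import random

T, F = True, False     # messages: t = leader not yet decided, f = decided

def new_process(i, blind):
    return {'i': i, 'blind': blind, 'phase': 'choose', 'j': None, 'draws': 0}

def enabled(p, chans):
    """Does process p have a transition group in the current global state?"""
    if p['phase'] == 'choose':
        # the blind choice is tau-prefixed, hence always enabled; an
        # input-guarded choice is enabled only if some channel holds a message
        return p['blind'] or any(c is not None for c in chans)
    if p['phase'] == 'first':
        return chans[p['j']] is not None
    return p['phase'] == 'second'        # the inner choice keeps its tau branch

def read_first(p, chans):
    """Consume the message on the committed channel; f means the other won."""
    value, chans[p['j']] = chans[p['j']], None
    p['phase'] = 'loser' if value is F else 'second'

def step(p, chans, rng, eps):
    """One transition of p (the scheduler has already selected p's group)."""
    if p['phase'] == 'choose':
        p['draws'] += 1                                  # random draw (i, j)
        if p['blind']:
            p['j'] = rng.choice((0, 1))                  # commit before testing availability
            p['phase'] = 'first'
        else:                                            # guarded: only enabled inputs
            p['j'] = rng.choice([j for j in (0, 1) if chans[j] is not None])
            read_first(p, chans)                         # and the guard fires at once
    elif p['phase'] == 'first':
        read_first(p, chans)
    else:                                                # second input: (1-eps) x(..) + eps tau
        other = p['j'] ^ 1
        if chans[other] is not None and rng.random() >= eps:
            chans[other] = None
            p['phase'] = 'leader'
            chans[0] = chans[1] = F                      # notify the other process
        else:               # eps branch; probability 1 when the channel is empty (Res)
            chans[p['j']] = T                            # backtrack: return the message
            p['phase'] = 'choose'

def alternating_run(blind, eps, rng, max_turns=400):
    """Scheduler of the closing remark: a process keeps the turn until it has
    made its random choice and performed an input (or cannot move), then the
    other process is activated. Returns (leader index or None, total draws)."""
    chans = [T, T]                    # each process has output t on its own channel
    procs = [new_process(0, blind), new_process(1, blind)]
    for turn in range(max_turns):
        p = procs[turn % 2]
        if enabled(p, chans):
            step(p, chans, rng, eps)                     # possibly the second-input attempt
        while enabled(p, chans) and p['phase'] != 'second':
            step(p, chans, rng, eps)                     # then random choice and first input
        for q in procs:
            if q['phase'] == 'leader':
                return q['i'], procs[0]['draws'] + procs[1]['draws']
    return None, procs[0]['draws'] + procs[1]['draws']

def run_once(blind, eps, seed):
    return alternating_run(blind, eps, random.Random(seed))

def election_rate(blind, eps, seed, trials=200):
    """Fraction of trials that elect a leader within max_turns turns."""
    rng = random.Random(seed)
    return sum(alternating_run(blind, eps, rng)[0] is not None
               for _ in range(trials)) / trials
```

With the guarded choice every step after the first draw is forced, so the run never elects a leader and makes one draw per turn; with the blind choice the same scheduler elects a leader in every trial.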

5 Implementation of π_pa in a Java-like language

In this section we propose an implementation of the synchronization-closed π_pa-calculus, namely the subset of π_pa consisting of processes in which all occurrences of communication actions x(y) and $\bar{x}y$ are under the scope of a restriction operator νx. This means that all communication actions are forced to synchronize.

The implementation is written in a Java-like language following the idea outlined in Section 3.1. It is compositional wrt all the operators, and distributed, i.e. homomorphic wrt the parallel operator.

Channels are implemented as one-position buffers, namely as objects of the 
following class: 

class Channel { 

Channel message; 
boolean isEmpty; 



(1 + e) 



2 n-2 

ince e < 1, this probability converges to for n — > oo. 



□ 



public 



void Channel () { 
isEmpty = true; 



> 



public 



synchronized void send (Channel y) { 
while (! isEmpty) waitO; 
isEmpty = false; 
message = y; 
notifyAll () ; 



> 



public synchronized GuardState test_and_receive() { 
GuardState s = new GuardState () ; 
if (! isEmpty) { s.test = true; 

s. value = message; 
isEmpty = true; 
return s; } 
else { s.test = false; 

s. value = null; 
return s; } 



class GuardState { 

public boolean test; 
public Channel value; 

} 

The methods send and test_and_receive are used for implementing the 
output and the input actions respectively. They are both synchronized, because 
the test for the emptiness (resp. non-emptiness) of the channel, and the subse-
quent placement (resp. removal) of a datum, must be done atomically. 

Note that, in principle, the receive method could have been defined dually to 
the send method, i.e. read and remove a datum if present, and suspend (wait) 
otherwise. This definition would work for input prefixes which are not in the 
context of a choice. However, it does not work for input guarded choice. In 
order to simulate correctly the behavior of the input guarded choice, in fact, we 
should check continuously for input events, until we find one which is enabled. 
Suspending when one of the input guards is not enabled would be incorrect. Our 
definition of test_and_receive circumvents this problem by reporting a failure 
to the caller, instead of suspending it. 

Given the above representation of channels, the π_pa-calculus can be imple-
mented by using the following encoding [(·)]: 

Probabilistic choice 

$$\Big[\!\Big(\sum_{i=1}^{m} p_i\, x_i(y).P_i \;+\; \sum_{i=m+1}^{n} p_i\, \tau.P_i\Big)\!\Big] \;=$$

{ boolean choice = false; 
  GuardState s = new GuardState(); 
  float x; 
  Random gen = new Random(); 
  while (!choice) { 
    x = 1 - gen.nextFloat();   // nextFloat() returns a real number in [0,1), so x is in (0,1] 
    if (0 < x && x <= p1) 
      { s = x1.test_and_receive(); 
        if (s.test) { y = s.value; [(P1)] 
                      choice = true; } 
      } 
    ... 
    if (p1 + p2 + ... + p_{m-1} < x && x <= p1 + p2 + ... + pm) 
      { s = xm.test_and_receive(); 
        if (s.test) { y = s.value; [(Pm)] 
                      choice = true; } 
      } 
    if (p1 + p2 + ... + pm < x && x <= p1 + p2 + ... + p_{m+1}) 
      { [(P_{m+1})] 
        choice = true; } 
    ... 
    if (p1 + p2 + ... + p_{n-1} < x && x <= p1 + p2 + ... + pn) 
      { [(Pn)] 
        choice = true; } 
  } 
} 

Note that with this implementation, when no input guards are enabled, the 
process keeps performing internal (silent) actions instead of suspending. 

Output action 

[(x̄y)] = { x.send(y); } 

Restriction 

[(νx P)] = { Channel x = new Channel(); [(P)] } 

Parallel If our language is provided with a parallel operator, then we can just 
have a homomorphic mapping: 

[(P1 | P2)] = [(P1)] | [(P2)] 

In Java, however, there is no parallel operator. In order to mimic it, a possibility 
is to define a new class for each process we wish to compose in parallel, and then 
create and start an object of that class: 

class processP1 extends Thread { 
  public void run() { 
    [(P1)] 
  } 
} 

[(P1 | P2)] = { new processP1().start(); [(P2)] } 

Recursion Remember that the process rec_X P represents a process X defined 
as X = P, where P may contain occurrences of X. For each such process, define 
the following class: 

class X { 
  static public void exec() { 
    [(P)] 
  } 
} 

Then define: 

[(rec_X P)] = { X.exec(); } 
[(X)] = { X.exec(); } 
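The following is an added example, not code from the paper, that puts the channel class, the test_and_receive discussion and the encodings of probabilistic choice and parallel composition above together into one compilable Java program. The process it encodes is assumed for illustration: νx νw νz ( w̄z | ( 1/2 x(y).0 + 1/2 w(y).0 ) ), with the inaction continuations standing in for P1 and P2, the class names GuardedChoiceDemo and Sender chosen here, and the result reported as a string. Only w ever carries a datum, so a blocking receive drawn on x would suspend forever, whereas test_and_receive reports failure and the loop simply redraws.

```java
import java.util.Random;

// Added example (not the paper's code). Channels and guard states follow
// Section 5; the encoded process is assumed for illustration:
//   nu x nu w nu z ( w<z> | ( 1/2 x(y).0 + 1/2 w(y).0 ) )
class Channel {
    Channel message;
    boolean isEmpty = true;           // the one-position buffer starts empty

    // Output action x<y>: wait while the buffer is full, then deposit y.
    public synchronized void send(Channel y) throws InterruptedException {
        while (!isEmpty) wait();
        isEmpty = false;
        message = y;
        notifyAll();
    }

    // Input guard: atomically test for a datum and remove it if present.
    // Never suspends, so an input guarded choice can keep polling.
    public synchronized GuardState test_and_receive() {
        GuardState s = new GuardState();
        if (!isEmpty) {
            s.test = true;
            s.value = message;
            isEmpty = true;
            notifyAll();              // wake a sender blocked in send()
        } else {
            s.test = false;
            s.value = null;
        }
        return s;
    }
}

class GuardState {
    public boolean test;
    public Channel value;
}

public class GuardedChoiceDemo {
    // Encoding of the left component w<z>, run as its own thread
    // (the homomorphic treatment of parallel composition).
    static class Sender extends Thread {
        private final Channel w, z;
        Sender(Channel w, Channel z) { this.w = w; this.z = z; }
        @Override public void run() {
            try { w.send(z); }
            catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        }
    }

    // Encoding of px x(y).0 + (1-px) w(y).0. Returns which guard fired and
    // how many random draws were needed (draws on x fail while x is empty).
    static String guardedChoice(Channel x, Channel w, double px, Random gen) {
        boolean choice = false;
        String taken = null;
        int draws = 0;
        while (!choice) {
            draws++;
            double v = 1 - gen.nextDouble();  // nextDouble() is in [0,1), so v is in (0,1]
            if (0 < v && v <= px) {
                GuardState s = x.test_and_receive();
                if (s.test) { Channel y = s.value; taken = "x(y)"; choice = true; }  // y bound to the received name
            }
            if (px < v && v <= 1.0) {
                GuardState s = w.test_and_receive();
                if (s.test) { Channel y = s.value; taken = "w(y)"; choice = true; }  // y bound to the received name
            }
        }
        return taken + " after " + draws + " draw(s)";
    }

    public static void main(String[] args) {
        Channel x = new Channel(), w = new Channel(), z = new Channel();
        new Sender(w, z).start();   // [(w<z> | R)] = { new Sender(...).start(); [(R)] }
        System.out.println(guardedChoice(x, w, 0.5, new Random()));
    }
}
```

Save as GuardedChoiceDemo.java, compile and run with `javac GuardedChoiceDemo.java && java GuardedChoiceDemo`. The printed guard is always w(y); the draw count varies from run to run because every draw that lands on the empty channel x is a silent action and the loop redraws, which is exactly the behaviour the paper attributes to the encoding when no input guard is enabled.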
Appendix A 

Table 4 presents an equivalent transition system for the π_pa-calculus where no 
assumptions on the bound variables are made. Note that the side condition 
on the rule Sum is necessary for treating cases like 1/2 x(y).0 + 1/2 x(y).0. 
This condition could be eliminated by assuming that the transition groups are 
multisets instead of sets. 



Sum 

$$\frac{}{\displaystyle\sum_i p_i\,\alpha_i.P_i\ \ \{\xrightarrow[p'_i]{\alpha_i} P_i\}_i}\qquad p'_i = \sum_{j:\ \alpha_j=\alpha_i,\ P_j=P_i} p_j$$

Out 

$$\frac{}{\bar{x}y\ \ \{\xrightarrow[1]{\bar{x}y} 0\}}$$

Open 

$$\frac{P\ \{\xrightarrow[1]{\bar{x}y} P'\}}{\nu y\,P\ \{\xrightarrow[1]{\bar{x}(y)} P'\}}\qquad x \neq y$$

Res 

$$\frac{P\ \{\xrightarrow[p_i]{\mu_i} P_i \mid i \in I\}}{\nu y\,P\ \{\xrightarrow[p'_i]{\mu_i} \nu y\,P_i \mid i \in I \text{ and } y \notin fn(\mu_i)\}}$$

$$\exists i \in I.\ y \notin fn(\mu_i),\quad \forall i \in I.\ y \notin bn(\mu_i),\quad \text{and } p'_i = p_i \Big/ \sum_{j \in I,\ y \notin fn(\mu_j)} p_j$$

Par 

$$\frac{P\ \{\xrightarrow[p_i]{\mu_i} P_i\}_i}{P \mid Q\ \{\xrightarrow[p_i]{\mu_i} P_i \mid Q\}_i}\qquad \forall i.\ bn(\mu_i) \cap fn(Q) = \emptyset$$

Com 

$$\frac{P\ \{\xrightarrow[1]{\bar{x}y} P'\}\qquad Q\ \{\xrightarrow[p_i]{\mu_i} Q_i \mid i \in I\}}{P \mid Q\ \{\xrightarrow[p_i]{\tau} P' \mid Q_i[y/z_i] \mid i \in I \text{ and } \mu_i = x(z_i)\} \ \cup\ \{\xrightarrow[p_i]{\mu_i} P \mid Q_i \mid i \in I \text{ and } \mu_i \neq x(z_i)\}}$$

Close 

$$\frac{P\ \{\xrightarrow[1]{\bar{x}(y)} P'\}\qquad Q\ \{\xrightarrow[p_i]{\mu_i} Q_i \mid i \in I\}}{P \mid Q\ \{\xrightarrow[p_i]{\tau} \nu y\,(P' \mid Q_i[y/z_i]) \mid i \in I \text{ and } \mu_i = x(z_i)\} \ \cup\ \{\xrightarrow[p_i]{\mu_i} P \mid Q_i \mid i \in I \text{ and } \mu_i \neq x(z_i)\}}$$

Cong 

$$\frac{P \equiv P'\qquad P'\ \{\xrightarrow[p_i]{\mu_i} Q'_i\}_i\qquad \forall i.\ Q'_i \equiv Q_i}{P\ \{\xrightarrow[p_i]{\mu_i} Q_i\}_i}$$

Table 4. Alternative formulation of the probabilistic transition system for the π_pa-
calculus. 



